Burned by Apple, researchers mull selling zero days to brokers

Mounting frustration with the Apple Security Bounty program could have tangible consequences for the tech giant, as some security researchers said they are considering selling their vulnerability discoveries to zero-day brokers and other third parties.

Since Apple launched its bug bounty program to the public in 2019, several security researchers have criticized the program for a variety of issues. The most visible recent example of this frustration came when researcher Denis Tokarev, who goes by the handle “illusionofchaos,” publicly disclosed three apparent zero-day iOS vulnerabilities, along with a scathing critique of Apple’s bug bounty program. In a blog post, Tokarev accused Apple of not properly crediting him for finding flaws and criticized the company’s communication practices.

Soon after, another researcher known as “impost0r” with the not-for-profit reverse-engineering group Secret Club dropped an apparent macOS vulnerability, along with instructions on how to exploit it.

They are not the first to publicly post zero days after being disgruntled with a vendor. Frustrations with the Apple Security Bounty (ASB) are far from new, but recent events have ignited a new wave of criticism against the tech giant.

Researcher frustrations

Several security researchers who either work or have worked with Apple in the past criticize the company for communication and recognition issues in ASB, and a few expressed a willingness to work with third parties such as zero-day brokers following these frustrations.

Apple Security Bounty began in 2016 as an invite-only bug bounty program in which selected researchers submitted vulnerabilities and exploits to Apple in exchange for monetary rewards. In 2019, the program was opened to all researchers.

According to Apple’s website, the maximum payouts for vulnerabilities vary. For anything that enables “unauthorized access to iCloud account data on Apple Servers,” the maximum payout is $100,000. On the high end, Apple will pay up to $1 million for a “zero-click remote chain with full kernel execution and persistence, including kernel PAC bypass, on latest shipping hardware.”

SearchSecurity spoke with several researchers who have submitted bugs to…


Purdue researchers create ‘self-aware’ algorithm to ward off hacking attempts

WEST LAFAYETTE, Ind. — It sounds like a scene from a spy thriller. An attacker gets through the IT defenses of a nuclear power plant and feeds it fake, realistic data, tricking its computer systems and personnel into thinking operations are normal. The attacker then disrupts the function of key plant machinery, causing it to misperform or break down. By the time system operators realize they’ve been duped, it’s too late, with catastrophic results.

The scenario isn’t fictional; it happened in 2010, when the Stuxnet worm was used to damage nuclear centrifuges in Iran while feeding operators readings that looked normal. And as ransomware and other cyberattacks around the world increase, system operators worry more about these sophisticated “false data injection” strikes. In the wrong hands, the computer models and data analytics – based on artificial intelligence – that ensure smooth operation of today’s electric grids, manufacturing facilities, and power plants could be turned against themselves.

Purdue researchers have developed a novel self-cognizant and healing technology for industrial control systems against both internal and external threats. The project is led by Hany Abdel-Khalik (center), with Yeni Li, a nuclear engineering postdoctoral associate (right), leading the anomaly detection work and third-year nuclear engineering Ph.D. student Arvind Sundaram leading the covert cognizance algorithms implementation. (Purdue University photo/Vincent Walter)

Purdue University’s Hany Abdel-Khalik has come up with a powerful response: to make the computer models that run these cyberphysical systems both self-aware and self-healing. Using the background noise within these systems’ data streams, Abdel-Khalik and his students embed invisible, ever-changing, one-time-use signals that turn passive components into active watchers. Even if an attacker is armed with a perfect duplicate of a system’s model, any attempt to introduce falsified data will be immediately detected and rejected by the system itself, requiring no human response.
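The paragraph above describes the idea only at a high level: a keyed, one-time-use signal hidden below the sensor noise, which a monitor with the key can verify and which an attacker with a perfect plant model still cannot reproduce. The following Python is an added illustration of that general idea (a keyed dynamic watermark), written for this page; it is not Purdue's covert cognizance code and does not claim to reproduce their method. The plant model, noise level, amplitude, window size, key and the "genuine / forged / replayed" streams are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import random

# Constructed parameters for the illustration (not from the Purdue work):
# the plant reports a level around 100.0 with Gaussian sensor noise of
# sigma 0.5, and the watermark amplitude is kept well below that noise so
# the signal is invisible in any single sample.
NOISE_SIGMA = 0.5
AMPLITUDE = 0.1
WINDOW = 4096                                    # samples per watermark window
KEY = b"hypothetical-secret-shared-by-sensor-and-monitor"


def watermark(key: bytes, window_index: int, n: int = WINDOW) -> list[int]:
    """Balanced +/-1 sequence for one window, derived from HMAC(key, index).

    Each window index yields a fresh, unpredictable sequence, so the signal
    is one-time-use and cannot be forged or replayed without the key.
    """
    digest = hmac.new(key, window_index.to_bytes(8, "big"), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(digest, "big"))   # keyed PRNG
    seq = [1] * (n // 2) + [-1] * (n - n // 2)           # balanced: sums to 0 for even n
    rng.shuffle(seq)
    return seq


def embed(key: bytes, window_index: int, measurements: list[float]) -> list[float]:
    """Sensor side: add the hidden watermark to the raw measurements."""
    w = watermark(key, window_index, len(measurements))
    return [x + AMPLITUDE * wi for x, wi in zip(measurements, w)]


def score(key: bytes, window_index: int, received: list[float]) -> float:
    """Monitor side: correlate the received window with the expected watermark.

    Returns about 1.0 when the current watermark is present and about 0.0
    when it is absent (forged data, or a replay carrying an old watermark).
    Because the sequence is balanced, a constant offset in the measurements
    contributes nothing to the sum; the noise term shrinks as 1/sqrt(n).
    """
    w = watermark(key, window_index, len(received))
    return sum(y * wi for y, wi in zip(received, w)) / (AMPLITUDE * len(received))


def accept(key: bytes, window_index: int, received: list[float],
           threshold: float = 0.5) -> bool:
    """Reject the window outright if the watermark is not there."""
    return score(key, window_index, received) > threshold


def simulate_plant(seed: int, n: int = WINDOW) -> list[float]:
    """Constructed raw sensor data: a steady level plus Gaussian noise."""
    rng = random.Random(seed)
    return [100.0 + rng.gauss(0.0, NOISE_SIGMA) for _ in range(n)]


def demo() -> dict:
    """Three windows checked against the monitor's expectation for window 42."""
    genuine = embed(KEY, 42, simulate_plant(seed=1))        # real sensor, right key, right window
    forged = simulate_plant(seed=2)                         # perfect plant model, but no key
    replayed = embed(KEY, 41, simulate_plant(seed=3))       # yesterday's genuine traffic
    return {
        "genuine": accept(KEY, 42, genuine),
        "forged": accept(KEY, 42, forged),
        "replayed": accept(KEY, 42, replayed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:9s} accepted={ok}")
```

With these numbers the correlation term for a genuine window is about 1.0 with a noise spread of roughly 0.08, while forged and replayed windows score near 0, so a threshold of 0.5 separates them by several standard deviations; shrinking the amplitude or the window pushes the two distributions together, which is the usual trade-off between stealth and detection delay in this kind of scheme.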

“We call it covert cognizance,” said Abdel-Khalik, an associate professor…


Security researchers discover Apple Pay and Visa contactless payment hack


A team of security researchers has uncovered a new hack that could allow bad actors to make unauthorized charges through victims’ iPhones. 

In a demonstration to the BBC, researchers from the Computer Science departments of the Universities of Birmingham and Surrey in the U.K. showed how thieves can abuse a feature of Apple Pay to make unauthorized contactless payments. According to the researchers, the problem lies in how Visa cards behave when they are set up in “Express Transit” mode in an iPhone’s wallet. 

Express Transit is an Apple Pay feature that lets commuters make quick contactless payments without unlocking their phone. It is the mode used to tap through gates on systems such as New York City’s MTA, Los Angeles’ TAP, or Chicago’s CTA. 

How it works

In the demo, the researchers made a Visa payment of £1,000 (roughly $1,350) from a locked iPhone, without unlocking the phone or authorizing the payment. 

All an attacker needs is a commercially available piece of radio equipment placed where the iPhone is likely to be used, such as a retail store. The equipment tricks the iPhone into believing it is talking to a legitimate transit reader, so the Express Transit card responds without the phone being unlocked. 

The scary thing is that the transaction is relayed: the crook’s phone and the payment terminal that actually charges the card don’t need to be anywhere near the victim’s iPhone. “It can be on another continent from the iPhone as long as there’s an internet connection,” said Dr. Ioana Boureanu of the University of Surrey.

Apple and Visa aren’t worried…yet

While the researchers consider the attack a real possibility, neither Apple nor Visa is sweating it quite yet. According to the BBC, Apple said the matter was “a concern with a Visa system.” Visa said its payments were secure and that attacks of this type were impractical outside of a lab.

Visa told the BBC that it took all security threats seriously, but it says this isn’t something that consumers should worry about. 

“Visa cards connected to Apple Pay Express Transit are secure, and cardholders should continue to use them with confidence,” the company said. “Variations of contactless fraud schemes have been studied in laboratory…


Widely Used Bitcoin ATMs Have Major Security Flaws, Researchers Warn

A man using a General Bytes cryptocurrency ATM in Palma de Mallorca, Spain in August 2021.
Photo: Carlos Alvarez (Getty Images)

Many of the Bitcoin ATMs that have popped up everywhere from gas stations and smoke shops to bars and malls across the U.S. have major security vulnerabilities that render them susceptible to hackers, according to a new report by security researchers with crypto exchange Kraken.

Coin ATM Radar estimates there are over 42,000 active Bitcoin ATMs across the U.S., a massive surge from January 2021, when Reuters reported the site listed 28,000. Such ATMs allow users to buy cryptocurrency with cash or credit (though not always the reverse) and process sensitive financial data. Unlike with regular ATMs operated by banks, the distributed nature of cryptocurrency networks and a lack of regulation mean customers are likely to have less recourse if something goes disastrously wrong. Moreover, target markets for the devices include people who keep money in cryptocurrency rather than banks and people who don’t want their transfers to attract attention, whether for legitimate purposes or otherwise. Many are also located in dicey locations like liquor stores. Thus Bitcoin ATMs have been juicy targets for malware and scams in the past.

Kraken discovered a number of software and hardware flaws with the General Bytes BATMtwo (GBBATM2) model of ATMs. Coin ATM Radar estimates the manufacturer has provided nearly 23% of all crypto ATMs worldwide; in the U.S., that percentage is 18.5%, while in Europe, it is 65.4%.

For example, owners have installed many GBBATM2 units without changing the default admin QR code that serves as a password, meaning that anyone who obtains that code could possibly take control of it. Other issues Kraken wrote it found included a lack of secure boot mechanisms, meaning a hacker could trick a GBBATM2 into running malicious code, and “critical vulnerabilities in the ATM management system.”

The QR code issue is particularly serious, Kraken’s researchers wrote, because it found that the default code is shared across units. This is a bit like buying a new computer and forgetting to change the password to something…
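The practical consequence of a factory-default admin code that is identical on every unit is that an operator has to audit the whole fleet, not just one machine: a unit on the default is exposed to anyone who has ever seen that code, and two units enrolled with the same rotated code fall together if one is compromised. The following Python is an added example, written for this page, of such a fleet audit; it is not Kraken's or General Bytes' tooling, and the unit names, the QR payloads and the "factory default" value are all constructed for the illustration. The audit compares SHA-256 fingerprints only, so the tool never has to carry the admin secrets themselves.

```python
import hashlib
from collections import defaultdict


def qr_fingerprint(qr_payload: str) -> str:
    """SHA-256 of the admin QR payload; the audit never stores the payload itself."""
    return hashlib.sha256(qr_payload.encode("utf-8")).hexdigest()


# Hypothetical factory-default payload (constructed, not the vendor's real value),
# kept only as a fingerprint.
DEFAULT_FINGERPRINTS = {qr_fingerprint("FACTORY-DEFAULT-ADMIN-QR")}

# Constructed inventory: (unit id, fingerprint of the admin QR enrolled on it).
INVENTORY = [
    ("atm-001", qr_fingerprint("FACTORY-DEFAULT-ADMIN-QR")),       # never changed
    ("atm-002", qr_fingerprint("FACTORY-DEFAULT-ADMIN-QR")),       # never changed
    ("atm-003", qr_fingerprint("ops-rotated-2021-09-key-A")),      # rotated, but reused
    ("atm-004", qr_fingerprint("ops-rotated-2021-09-key-A")),      # rotated, but reused
    ("atm-005", qr_fingerprint("unique-per-unit-key-2021-09-05")), # the only clean unit
]


def audit(inventory, default_fingerprints=DEFAULT_FINGERPRINTS) -> dict:
    """Flag units still on a factory default and groups of units sharing one admin code.

    Returns {"default": [unit, ...], "shared": [[unit, unit, ...], ...]}; a
    unit appears in at most one category, with the default finding taking
    precedence since it is the more serious of the two.
    """
    units_by_fp = defaultdict(list)
    for unit, fp in inventory:
        units_by_fp[fp].append(unit)

    findings = {"default": [], "shared": []}
    for fp, units in units_by_fp.items():
        if fp in default_fingerprints:
            findings["default"].extend(units)
        elif len(units) > 1:
            findings["shared"].append(sorted(units))
    findings["default"].sort()
    findings["shared"].sort()
    return findings


def is_clean(inventory, default_fingerprints=DEFAULT_FINGERPRINTS) -> bool:
    """True only when no unit is on a default and no admin code is shared."""
    f = audit(inventory, default_fingerprints)
    return not f["default"] and not f["shared"]


if __name__ == "__main__":
    result = audit(INVENTORY)
    print("on factory default:", result["default"])
    print("sharing one code:  ", result["shared"])
    print("fleet clean:       ", is_clean(INVENTORY))
```

Run against the constructed inventory, the audit reports atm-001 and atm-002 on the default and atm-003 and atm-004 sharing one code; the same grouping logic applies to any per-device secret (admin passwords, API tokens, SSH host keys) where reuse across units is the failure mode.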